What This Guide Covers
In this article you’ll learn:
– What the full DORA compliance checklist includes
– How to assess your current level of DORA readiness
– Key DORA requirements for 2025 across risk, incidents, outsourcing, and resilience testing
– How to use the checklist to run a practical gap analysis
– Where to download the complete PDF & Excel checklist
Understanding the DORA Compliance Checklist (2025 Edition)
The Digital Operational Resilience Act (DORA) introduces one of the most comprehensive ICT risk and resilience frameworks in the EU. From January 2025 onward, financial entities and critical ICT service providers must demonstrate that they can identify, manage and withstand ICT disruptions without jeopardizing clients or market stability.
As the DORA Regulation 2025 takes effect, organisations are prioritising clarity, documentation and operational readiness across all ICT functions.
To support this shift, we created a full DORA compliance checklist — a practical, actionable resource that translates regulatory text into concrete steps your team can execute.
Below is a preview of what it contains and how to use it during your DORA journey.
What’s Included in the Full DORA Compliance Checklist?
The checklist follows the structure of the Regulation and is divided into five domains:
1. ICT Risk Management Framework
DORA requires a unified, organisation-wide ICT risk management structure.
Effective ICT risk management under DORA requires clear governance, documented responsibilities and continuous monitoring of critical assets.
The full checklist covers:
- Governance setup and defined responsibilities
- ICT risk identification and classification
- Preventive and detective security controls
- ICT business continuity planning
- Documentation, traceability and evidence management
This section helps you understand whether your current policies align with mandatory expectations.
2. ICT-Related Incident Management & Reporting
DORA introduces strict obligations for classifying, recording and reporting ICT-related incidents.
The checklist outlines:
- Standardised incident taxonomy & severity levels
- Internal and external notification flows
- EBA/ESMA/EIOPA reporting timelines
- Documentation and evidence collection
- Post-incident analysis and remediation
This helps your team identify whether processes need redesigning before regulatory inspections.
3. Digital Operational Resilience Testing
Entities must perform regular resilience testing, in proportion to their size and risk profile.
These testing practices form a core part of the DORA requirements that in-scope financial entities and ICT third-party service providers must meet.
The checklist includes:
- Annual resilience testing expectations
- Threat-led penetration testing (TLPT) conditions
- Scenario-based testing
- Coverage requirements for critical functions
This section allows you to compare your current testing strategy with supervisory expectations.
4. ICT Third-Party Risk Management (TPRM)
DORA introduces the EU’s strictest rules for outsourcing and the use of ICT third-party service providers.
The checklist covers:
- Vendor register completeness and accuracy
- Mandatory contractual clauses
- Monitoring, performance reviews and risk scoring
- Exit strategies, portability and termination procedures
This helps organisations identify gaps that could lead to supervisory findings.
5. Information Sharing Arrangements
Under DORA, organisations may join trusted cyber-threat intelligence communities.
The checklist addresses:
- Eligibility and participation criteria
- Confidentiality safeguards
- Safe-sharing processes
- Expected benefits such as faster detection and sector insights
How to Use the DORA Compliance Checklist
Phase 1 — Gap Scan
Begin with a high-level review across all five domains to understand your current maturity.
Phase 2 — Prioritisation
Focus on the areas with greatest exposure: governance, incident reporting, TPRM and resilience testing.
Phase 3 — Implementation Tracking
Use the checklist as a monthly progress tool to ensure consistent advancement toward full compliance.
Many organisations distribute the checklist across ICT, Risk, Compliance and Operations teams to maintain a shared understanding of obligations.
The preview above covers only the structure.
The full version includes:
✔ sub-requirements
✔ maturity indicators
✔ implementation notes
✔ evidence examples
✔ self-assessment scoring
Who Should Use This Checklist?
The checklist is designed for:
- Banks, brokers, PSPs, wealth managers and investment firms
- Crypto-asset service providers (MiCAR entities)
- ICT third-party service providers
- Internal audit, compliance and risk teams
- Operational resilience functions
If your organisation falls under DORA (or supports entities that do), this resource will help you structure your approach and reduce complexity.